Attorney Docket No. NTWK014/O0US (00.176.01) 

SYSTEM AND METHOD FOR KEY DISTRIBUTION IN A HIERARCHICAL TREE

[1001] The invention was made with Government support under Contract MDA904-00-C-3236.
The Government has certain rights in this invention.

RECEIVED SEP 10 2001 Technology Center 2600

Background

Field of the Invention

[1002] The present invention relates generally to group keying systems and more 
particularly to a group key distribution mechanism. 

Discussion of the Related Art 

[1003] Secure group communication is gaining in importance, with both military and
commercial applications in need of development. In a secure group communication, a 
trusted key server communicates with a group of N users over a multicast or broadcast 
communications channel. The trusted key server also communicates with the group of N 
users through N respective unicast communications channels that enable communications 
with individual users. 

[1004] A unicast communications channel can be embodied in various forms. In one
example, the unicast communications channel is implemented online protected by a shared
secret. In another example, the unicast communications channel is implemented offline
through the physical delivery of a floppy disk. A multicast or broadcast channel can also be
embodied in various forms, such as a wireless network, the public Internet, a cable network,
a satellite network, a hybrid network, or the like.

[1005] In a secure group communication, each of the N users is a member of a group that
uses a group key to encode and decode group communications. The group key is known to 
each user and to the key server. 

[1006] In the normal course, users will frequently join and leave the group. It is
therefore important to ensure that only the set of current users has access to a currently valid 
and secure group key. Specifically, the current group key should be secure against 
collaborative attacks from past and future users. 

[1007] Many conventional algorithms are able to use the broadcast channel to
communicate information necessary to evict a user or users from the group or to add a user or 
users to the group. Some conventional algorithms have been adopted that reduce the 
bandwidth used on the broadcast channel to perform key operations by using a hierarchy of 
keys assigned to nodes in a tree. These keys are used to communicate update information in 
an efficient manner when a new group key is needed due to membership changes. 

[1008] FIG. 1 shows an example of a hierarchical set of keys used to limit the bandwidth
required for updating a set of 32 users. Each node in hierarchical tree 100 is associated with
a key. The nodes in the bottom row of hierarchical tree 100 are referred to as leaf nodes.
The leaf nodes are associated with keys that are unique to individual users U0-U31.
Specifically, user U0 is associated uniquely with the leftmost node in the bottom row, i.e., the
leftmost leaf node; user U1 is associated with the next leaf node; and so on.

[1009] Higher nodes in the hierarchy are associated with sets of users, and are referred to
as interior nodes. Each interior node is associated with a key known to one or more users
that descend from that node. For example, the topmost key, key A (the group key), is known
by users U0-U31 that descend from it, key B is associated with users U0-U15 that descend from
it, and key D is associated with users U0-U7 that descend from it.

[1010] In hierarchical tree 100, each user U0-U31 knows the keys corresponding to the
path from its leaf node up to the root node A on top. For example, user U2 knows its unique 
key, and also knows its parent node key K, its grandparent node key H, and higher level node 
keys D, B, and A. Each user therefore knows one key per level of hierarchical tree 100 on 
the way to the root node A. 

[1011] In general, tree hierarchies do not have to be symmetric or binary as illustrated in
FIG. 1. Trees can have branching other than binary branching such that each node in the tree
can have one or more nodes directly under it. For example, a hierarchical tree can be defined 
such that an interior node could have four nodes directly under it. 

[1012] Additionally, hierarchical trees do not have to have a uniform depth. For 
example, some users could be at leaf nodes on the sixth level, as in hierarchical tree 100, 
while other users could be at leaf nodes at the eighth, ninth, or tenth levels at other places in 
the tree.

[1013] If a user is evicted, all of the keys the evicted user knows need to be replaced with
new keys. This process ensures that only authorized users have access to the secure group
communication. For example, in hierarchical tree 100, user U0 is illustrated as being evicted.
Therefore, the circled keys, namely keys A, B, D, H, and J, are compromised and need to be
replaced. The reason the key uniquely known to user U0 is not circled is that no other user
knows that key. Therefore, key U0 will not be used again. If a new user is later added to the
group and assigned to user U0's leaf node, that new user will be assigned a new key uniquely
associated with it that cannot be derived from the old user U0's unique key.

[1014] Each non-evicted user that knows a key that is compromised through an eviction 
must learn the value of the replacement key. One conventional method for communicating 
new values for compromised keys from a key server to a non-evicted user is the logical key 
hierarchy (LKH) method, described in section 4.2 of Wallner et al., "Multicast Security: a
Taxonomy and Some Efficient Constructions," September 15, 1998, which is hereby 
incorporated by reference in its entirety. In the LKH method, all compromised keys are 
generated at the key sender, i.e., the key server determines replacement values for them. 
These values are then communicated in an efficient way to the remaining non-evicted users. 

[1015] In FIG. 2, the LKH method is illustrated for hierarchical tree 100. Encrypted
messages containing replacement keys are sent out, as indicated by the arrows in FIG. 2. The
encrypted messages are depicted by arrows pointing at the nodes by whose keys they are
encrypted. For example, the message encrypted with key B is depicted by an arrow pointing
from node A towards node B. The encrypted message is labeled 'Eb' to indicate that it is
encrypted with key B.

[1016] As mentioned previously, the circled keys A, B, D, H, and J need to be replaced.
In the LKH method, replacement key distribution begins at the bottom of the tree and
progresses upward. In this framework, the first key to be replaced is key J. Key J is known
to non-evicted user U1, and so its new value should be given to user U1. The key unique to
user U1 is regarded as a leaf node key. Therefore, user U1 receives the new key J through a
message Eu1 that is encrypted with U1's leaf node key.

[1017] The next key to be replaced is key H. Users U1-U3 should be given the new value
of key H. Here, key K is used to communicate the new value of key H to users U2 and U3,
while the new key J is used to communicate the new value of key H to user U1. Specifically,
user U1 receives the new value of key H through a message Ej that is encrypted with the new
key J, while users U2 and U3 receive the new value of key H through a message Ek that is
encrypted with key K. Encryption under the new key J prevents evicted users from
decrypting message Ej and obtaining the new value of key H.

[1018] Users U1-U7 are also given the new value of key D. Users U1-U3 receive the new
key D through a message Eh that is encrypted with the new key H, while users U4-U7 receive
the new key D through a message Ei that is encrypted with key I. Next, users U1-U15 receive
the new value of key B. Users U1-U7 get key B by decrypting message Ed, while users
U8-U15 get key B by decrypting message Ee. Finally, users U1-U15 get the new group key A by
decrypting message Eb, while users U16-U31 get the new group key A by decrypting message
Ec.

[1019] As thus described, the LKH method enables secure distribution of new interior
node keys upon eviction of one or more users. Two additional key distribution methods have
been proposed to reduce the number of encrypted messages that are needed for a tree update
after a single user is evicted. These methods are the one-way function chain (OFC) and
one-way function tree (OFT) methods. The OFC method is described in section 4.2 of Canetti et
al., "Multicast Security: A Taxonomy and Some Efficient Considerations," Proceedings of
IEEE Infocom'99, March 1999, which is hereby incorporated by reference in its entirety.
The OFT method is described in McGrew et al., "Key Establishment in Large Dynamic
Groups Using One-Way Function Trees," May 20, 1998, which is hereby incorporated by
reference in its entirety.

[1020] In the OFC method, the messages shown with the dotted arrows in FIG. 2 are 
eliminated, while the messages with the solid arrows are retained. In the OFT method, the 
messages are sent to the siblings instead of the children, such that there would be a message 
from B encrypted to C, from D encrypted to E, from H encrypted to I, from J encrypted to K 
and from a new U0 to U1. Both OFC and OFT require less messaging because replacement
keys are a function of one (in OFC) or both (in OFT) children keys.

[1021] It should be noted that it is possible for multiple users to be evicted from the 
group simultaneously. This could happen, for example, if multiple users are compromised 
over a period of time and the key server evicts them all at the end of the period of time (e.g., 
end of a subscription period). This aggregates the eviction process for reasons of efficiency.

[1022] For example, suppose that users U0 and U13 are evicted simultaneously. As can
be seen in FIG. 1, the keys known by evicted user U0 that are known by other users are keys
A, B, D, H, and J. The keys known by evicted user U13 that are known by other users are
keys A, B, E, N, and O. Therefore, keys A, B, D, E, H, J, N, and O should be replaced. This
simultaneous double-eviction prevents keys A and B from being replaced twice.

[1023] In a large tree encompassing thousands or millions of users, many compromised 
users could accrue during a time interval. When they are simultaneously evicted after the 
time interval, there may exist a large number of keys that need to be replaced, particularly
toward the bottom of the tree. For example, assume a worst case scenario in which every
other user (i.e., users U0, U2, U4, U6, ...) is evicted. In a symmetric binary tree having 32 leaf
nodes, 16 separate encrypted messages would be required to inform the non-evicted users
(i.e., users U1, U3, U5, U7, ...) of the replacement keys for the first level of interior nodes
above the leaf nodes. Additional encrypted messages would also be required to replace the 
rest of the compromised keys at higher levels of the tree. This communication cost becomes 
excessive when the tree encompasses millions of users. What is needed therefore is an 
efficient group key distribution mechanism. 



Brief Description of the Drawings 

[1024] FIG. 1 illustrates a hierarchical tree of nodes. 

[1025] FIG. 2 illustrates an eviction of a user. 

[1026] FIGS. 3A and 3B illustrate a self-repairing group.

[1027] FIG. 4 illustrates update messages for a self-repairing group. 

[1028] FIG. 5 illustrates a modified hierarchical tree. 

[1029] FIGS. 6 and 7 illustrate examples of a power set. 

[1030] FIGS. 8A, 8B, 9, 10A, 10B, and 11 illustrate examples of user eviction.

[1031] FIG. 12 illustrates a process for updating compromised keys.

[1032] FIG. 13 illustrates an effect of self-repairing groups.

Detailed Description

[1033] An embodiment of the invention is discussed in detail below. While specific 
implementations are discussed, it should be understood that this is done for illustration 
purposes only. A person skilled in the relevant art will recognize that other components and
configurations may be used without departing from the spirit and scope of the invention.

[1034] The efficiency of group key distribution using hierarchical trees (e.g., a binary
tree) can be judged based upon its ability to handle multiple-user evictions. In accordance 
with the present invention, the impact of multiple-user evictions is reduced through the 
effective truncation of the hierarchical tree. To illustrate this concept, reference is made first 
to a portion of hierarchical tree 100 of FIG. 1. 

[1035] FIG. 3A shows the bottom-left portion of hierarchical tree 100. Specifically, tree
portion 310 shows the set of node keys D, H, I, J, K, L, and M that are unique to the set of
users U0-U7. As described, in a worst-case eviction scenario where users U0, U2, U4, and U6
are evicted, node keys at the first interior node level (i.e., node keys J, K, L, and M) above
the leaf nodes would each be compromised. Encrypted messages updating keys J, K, L, and
M would then be sent to users U1, U3, U5, and U7, respectively. Further encrypted messages
updating interior nodes at higher levels of the tree would be sent as would be apparent.

[1036] In this scenario, the cost of sending encrypted update messages is high. This cost
becomes excessive as the number of users increases. Significantly, the bulk of the cost is
incurred in updating the interior nodes at the bottom levels of the tree. In accordance with
the present invention, the cost of updating interior nodes at the bottom levels of the tree is
reduced through the creation of a self-repairing group of users.

[1037] The concept of a self-repairing group of users is described with reference to tree
portion 320 illustrated in FIG. 3B. Tree portion 320 of FIG. 3B is roughly analogous to tree 
portion 310 of FIG. 3A in that the set of users U0-U7 shares a common interior node key D. 
[1038] One of the properties of the self-repairing group is that each of its members can 
independently update the shared interior node key. Updating of the shared interior node key 
is not dependent on key distribution messages from the root node that update further node 
keys descending from the shared interior node key. The elimination of encrypted messages
therefore enables the shared interior node key to be generated in a single step. 
[1039] In the context of FIG. 3B, each of users U0-U7 is able to independently update 
shared key D. Encrypted key distribution messages that previously updated interior nodes H, 
I, J, K, L, and M (see FIG. 3A) would not be required. Rather, users U0-U7 can update 
shared key D in one step. For this reason, users U0-U7 in the self-repairing group of FIG. 3B 
are illustrated as being connected to node D using dashed lines. 

[1040] In one embodiment, the updating process is initiated through the transmission of an
update request message. This update request message can include the identities of the
evicted user(s). Each non-evicted user in the self-repairing group uses this information to
recalculate the shared interior node key. An embodiment of an update process is described
in detail below in the context of a reusable power set.

[1041] FIG. 4 shows the impact of a self-repairing group on key distribution methods as
compared to conventional methods. In FIG. 4, user U0 has been evicted. Therefore, keys A,
B, D, H, and J are compromised and need to be replaced. In conventional key distribution
methods such as OFT and OFC, encrypted messages Eu1, Ek, Ei, Ee, and Ec are sent by the
root node to update the compromised keys. In particular, the dotted messages Eu1, Ek, and Ei
are used by non-evicted users U1-U7 to obtain, in an incremental manner, the new value of
key D. The solid messages Ee and Ec are used by the remaining non-evicted users to obtain
the new value of group key A.

[1042] In accordance with the present invention, dotted messages Eu1, Ek, and Ei are
eliminated because users U0-U7, which form a self-repairing group, can independently update 
key D. This one-step update process for the entire self-repairing group obviates the need for 
the sequential determination of node keys at levels between node D and the users U0-U7. 
Interior node keys such as keys H-M are therefore unnecessary for the incremental 
distribution of information to determine the shared key D. 

[1043] As further illustrated in FIG. 4, an additional message Ed is shown. This update
request message Ed, which may be optionally encrypted using key D, is intended for the
non-evicted users U1-U7 of the self-repairing group. As noted, the update request message Ed can
include a list of the members of the self-repairing group that have been evicted. As will
be described in greater detail below, the non-evicted members of the self-repairing group can
use this list of evicted members to update the common key D in a manner that prevents
access by the evicted users. In comparison to conventional methods, this update request
message Ed, in effect, replaces the encrypted messages Eu1, Ek, and Ei, thereby reducing the
bandwidth required for key distribution.

[1044] In general, the formation of self-repairing groups within a hierarchical tree
effectively truncates the tree for the purpose of update messages. The common node of a
self-repairing group effectively operates as a leaf node. This leaf-type node dictates that
update messages need not be produced by the root node to update nodes beyond the leaf-type
node. The interior common node of the self-repairing group is therefore converted into a
leaf-type node, effectively truncating the tree.

[1045] FIG. 5 graphically shows the effects of tree-truncation in accordance with the
present invention. In this example, assume that users under interior nodes D, E, F, and G are
formed into four separate self-repairing groups 510, 520, 530, 540 with eight users each. As
each self-repairing group 510, 520, 530, 540 can be represented by a leaf-type node, the tree 
is effectively cut off at the third level. Levels four through six at the bottom of the tree are 
eliminated, leaving a truncated tree having nodes A-G. 

[1046] The elimination of the lowest levels of the tree results in a large cost savings in 
the distribution of key information. As noted, in a worst-case eviction scenario where every 
other user is evicted, the number of encrypted messages needed to update the nodes at the 
first level above the user nodes is equivalent to one-half the number of users. This cost alone 
becomes prohibitive when the number of users becomes large. 

[1047] For example, consider a balanced binary tree that supports 8192 users. This
balanced binary tree would have 4096 interior nodes at the first level above the leaf nodes.
In a worst-case eviction scenario, 4096 encrypted messages would be needed to update those
4096 interior nodes.



[1048] In the illustrated example of FIG. 5, the simplified tree with nodes A-G can be 
thought of as a tree above a set of self-repairing groups instead of the conventional concept 
of a tree above a set of users. Significantly, the key distribution process of the tree above the 
self-repairing groups can operate in the same way as the conventional key distribution
process of the tree above a set of users. Accordingly, the tree-truncation feature of the
present invention can be applied to any hierarchical key distribution scheme (e.g., LKH, 
OFT, OFC, etc.). 

[1049] In the illustrated example of FIG. 5, the cost savings can be appreciated when 
considering the starting point of key distribution messages in the truncated tree. As each of 
the 8-user self-repairing groups can be represented by a leaf-type node, encrypted update 
messages would start at the third level of the tree (i.e., nodes D, E, F, and G). The total cost 
of updating the tree would therefore be equivalent to the cost of updating interior nodes from 
the third level on up to the first level. 

[1050] This same cost would be incurred in the updating of the conventional 32-user tree 
of FIG. 5 after the interior nodes at the fourth and fifth levels have been updated. For the 
fifth level alone, 16 encrypted messages would be required. This cost, in addition to the 
updating of the interior nodes at the 4th level, would therefore be eliminated if 8-user
self-repairing groups were used to truncate the tree.

[1051] In general, the application of self-repairing groups to hierarchical trees serves to 
eliminate the large cost of updating the lowest levels of the tree. The number of levels of 
eliminated updates is dependent on the size of the self-repairing groups that are used. In the 
above example, 8-user self-repairing groups were used to eliminate two levels of updates. If
16-user self-repairing groups were used, then three levels of updates are eliminated.
Implementation considerations relating to the size of the self-repairing groups are discussed 
in detail below. 
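
The message counts in the LKH walk-through of paragraphs [1016]-[1018] and the truncation savings of paragraphs [1045]-[1051] can be reproduced with the following added Python sketch, which is not part of the application and goes beyond the text by accepting any eviction set. The heap-style node numbering, the names `rekey_cost` and `compromised_nodes`, the letter table inferred from the description of FIG. 1, and the rule of one update request per affected self-repairing group are assumptions of the example.

```python
# Added illustration, not code from the application. Assumed numbering:
# root = 1, children of node i are 2i and 2i+1, user Ui sits at leaf n_users + i.

# Letters for the nodes the text names, inferred from its description of FIG. 1.
LABELS = {1: "A", 2: "B", 3: "C", 4: "D", 5: "E", 6: "F", 7: "G", 8: "H",
          9: "I", 16: "J", 17: "K", 18: "L", 19: "M", 11: "N", 22: "O"}


def compromised_nodes(n_users, evicted):
    """Interior nodes whose keys some evicted user knew (leaf-to-root paths)."""
    nodes = set()
    for u in evicted:
        i = (n_users + u) // 2          # parent of the user's leaf
        while i >= 1:
            nodes.add(i)
            i //= 2
    return sorted(nodes)


def rekey_cost(n_users, evicted, group_size=1):
    """Count key-server messages after evicting `evicted` from a balanced tree.

    Returns (encrypted, requests). `encrypted` maps the level of the key being
    replaced (root = level 1) to the number of encrypted messages carrying it:
    one per child subtree that still contains a non-evicted user, as in the
    LKH description. With group_size > 1, every subtree of that many users is
    a self-repairing group: its members recompute their shared key themselves,
    so the server sends the group one update request and no encrypted
    messages for keys at or below the group's common node.
    """
    evicted = set(evicted)
    if n_users & (n_users - 1) or group_size & (group_size - 1):
        raise ValueError("sketch assumes power-of-two tree and group sizes")

    size = [0] * (2 * n_users)          # users under each node
    gone = [0] * (2 * n_users)          # evicted users under each node
    for u in range(n_users):
        size[n_users + u] = 1
        gone[n_users + u] = int(u in evicted)
    for i in range(n_users - 1, 0, -1):
        size[i] = size[2 * i] + size[2 * i + 1]
        gone[i] = gone[2 * i] + gone[2 * i + 1]

    encrypted, requests = {}, 0
    for i in range(1, n_users):         # interior nodes only
        if gone[i] == 0:
            continue                    # key not compromised
        if size[i] <= group_size:
            # Inside a self-repairing group: only its common node costs
            # anything, and only if somebody is left to repair the key.
            if size[i] == group_size and gone[i] < size[i]:
                requests += 1
            continue
        msgs = sum(1 for c in (2 * i, 2 * i + 1) if gone[c] < size[c])
        if msgs:
            level = i.bit_length()
            encrypted[level] = encrypted.get(level, 0) + msgs
    return encrypted, requests


if __name__ == "__main__":
    print([LABELS[i] for i in compromised_nodes(32, {0})])
    every_other = range(0, 32, 2)       # worst case from the text
    for g in (1, 8, 16):
        enc, req = rekey_cost(32, every_other, g)
        print(f"group size {g:2}: {sum(enc.values())} encrypted, {req} requests")
```

For the 32-user worst case this gives 46 encrypted messages without truncation, against 6 encrypted messages and 4 update requests with 8-user groups.
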
[1052] It should also be noted that self-repairing groups can be applied to any type of
tree. The tree is not required to be binary or balanced. Self-repairing groups generally can 
be used to represent any group of users that have a shared node. These groups may also exist 
at varying levels of the tree. 

[1053] Having described a general framework for tree truncation, an embodiment of a 
self-repairing group mechanism is now provided. In one embodiment, the self-repairing 
group is based on a reusable power set (RPS). As detailed below, the RPS enables a self- 
repairing group to independently update a shared secret (e.g., an encryption key) when one or 
more users are evicted. 

[1054] A RPS uses the power set of the set of users in a group as a basis for group key 
updates. The set of all subsets of a set is referred to as the power set of that set. To illustrate 
the concept of power sets, consider the case of N=3 in FIG. 6. In the illustrated example, the 
group includes three users U0, U1, and U2. The power set of the three-user group contains 2^N
= 2^3 = 8 sets, each of which is a subset of the set of users. Specifically, the power set in this
case is { {}, {U0}, {U1}, {U0, U1}, {U2}, {U0, U2}, {U1, U2}, {U0, U1, U2} }.

[1055] In one embodiment described below, the power set minus the empty set {} is
used, thereby leaving a set of 2^N - 1 elements. This set is referred to as the modified power
set. Each set in the modified power set has a secret (or key) associated with it. In the
following description, the secrets unique to the particular sets are referred to as keys. It
should be noted, however, that the shared secrets need not be used to enable secure
communications between particular subsets of users. The key associated with set {U1} is
denoted as key KU1. For ease of description a binary representation is adopted. In this binary
representation, each of the N members of the group is represented by an N-bit binary number
with a '1' at its position and a '0' at each other position. User U0's bit position is the
rightmost bit, and user U(N-1)'s bit position is the leftmost bit.

[1056] For the case of N=3, therefore, the {U2} element is represented by the binary
number (100); the element {U1} is represented by the binary number (010); and the element
{U0} is represented by the binary number (001). FIG. 6 shows a Venn diagram illustrating
the group of three users U0, U1, and U2 and the modified power set associated with the group.
Each set has a key associated with it. For example, the element {U0, U1} has the key K011
associated with it.

[1057] For further ease of description, keys are also referred to below using their decimal
representation. For example, the key associated with set {U0, U1} can be denoted in binary
as K011 or in decimal as K3.

[1058] FIG. 7 illustrates the modified power set for a group with N=5 in graphical form. 
Each row in the figure contains a binary representation of a set in the modified power set,
i.e., a binary key number. A solid block represents a '1', and an empty block represents a
'0'. Each row contains five blocks, one for each member of the group for the case N=5. The
rows are indexed by their decimal equivalent on the left. For example, key number '5'
converts to '00101.'



[1059] In an embodiment in which the modified power set is used, a group with N
members has 2^N - 1 keys associated with it. For example, in FIG. 7, we see that there are 2^5
- 1 = 31 rows, or keys, associated with a group of N = 5 members. The trusted key server
knows all of the keys associated with a group, but users operate on a need-to-know basis. A
user knows a key if and only if the user is in the set corresponding to the key. Therefore, a
user knows only those keys that are associated with sets of which it is a member.

[1060] For example, as can be seen in FIG. 7, key number 25 corresponds to '11001' in
binary. The solid blocks in the row corresponding to key 25 correspond to users U4, U3, and
U0. Therefore, key K25 corresponds to set {U0, U3, U4}, with binary representation (11001).
Thus, key K25 is known to the key server, user U4, user U3, and user U0. Users U1 and U2 do
not know key K25 since they are outside of the set {U0, U3, U4}.

[1061] As noted, each user knows a subset of the keys used by the group. As illustrated
in FIG. 7, a user knows the set of keys that have the block in that user's particular column
filled in. For example, user U4 knows the set of keys that have the leftmost block in their
row filled in, i.e., key numbers 16-31, while user U3 knows the set of keys that have their
second block filled in, i.e., key numbers 8-15 and 24-31. In a group with N members, each
user knows 2^(N-1) keys. Therefore, in the N = 5 case illustrated in FIG. 7, each user knows
2^(5-1) = 16 keys. The key server knows all 2^5 - 1 = 31 keys.

[1062] When a user is evicted from a group, each key that the user knows can no longer 
be used for secure communications without creating a risk that the evicted user will gain 
unauthorized access. The set of keys known by the evicted user is said to be compromised. 
For example, if user U3 is evicted from the group then all of the keys known to user U3 are
compromised, i.e., key numbers 8-15 and 24-31.

[1063] When a key is compromised, it should be replaced. One possible method of
replacement is for the key server to generate a new, substitute key. The key server then
communicates the generated key to all users who need to know it. As noted, this
communication comes with significant bandwidth costs for new key distribution.

[1064] In accordance with the present invention, compromised keys are updated
independently and separately by each entity that needs to know them, i.e., by the key server
and by each non-evicted user. Each user that needs to know the compromised key, and only
those users, should be able to update the compromised key on its own. Evicted users should
not be able to collaboratively determine the updated keys.

[1065] Before discussing an embodiment of a process of updating a key, it will prove
useful to analyze the implication of an eviction. Consider the example of FIG. 8A. FIG. 8A
shows the set associated with key number 15. As can be seen from FIG. 7, 15 is '01111' in
binary, so the set corresponding to key number 15 is {U0, U1, U2, U3}. FIG. 8A also shows
user U3 as crossed out, indicating that user U3 has been evicted.

[1066] It is the eviction of user U3 that has compromised the key K15. The rest of the set
that would be left over if user U3 were to be removed would be {U0, U1, U2}. FIG. 8B shows
the resulting subset {U0, U1, U2}. The key associated with that subset, K7, is not
compromised because it does not contain evicted user U3. Significantly, key K7 is known to
each non-evicted user in the set {U0, U1, U2, U3} associated with compromised key K15, i.e.,
it is known to users U0, U1, and U2, but not user U3. Additionally, it is not known to any
users that are not in the set associated with compromised key K15, i.e., it is not known to user
U4.

[1067] In one embodiment, each compromised key is updated by the key server and the
non-evicted users. A key can be updated by using one or more keys to generate a
replacement key. In order to prevent any possible collusion among evicted members to
obtain the updated key, at least one of the keys used to generate a replacement key should be
an uncompromised key.

[1068] A candidate to use as an uncompromised key to generate a replacement for a
compromised key would be the key known to every non-evicted user in the set associated
with the compromised key. As shown in FIGS. 8A and 8B, when user U3 is evicted from the
group, thereby compromising key K15, key K7 is the key known to every non-evicted user in
the set associated with compromised key K15. Key K7 is therefore a candidate to use to
regenerate key K15 following the eviction of user U3. It is worth noting that keys K15 and K31
are also known to every non-evicted user in the set associated with the compromised key;
however, those keys are also known to other non-evicted users, which could lead to security
problems. Therefore, in one embodiment, a key used to update a compromised key is the key
known only by all of the non-evicted users that also know the compromised key.

[1069] FIG. 9 shows the impact of an eviction of user U3 on all of the keys. As noted,
when user U3 is evicted, key numbers 8-15 and 24-31 are compromised. In one embodiment,
each compromised key that is known by a non-evicted user should be updated. Specifically,
key numbers 9-15 and 24-31 should be updated. Key K8 is not known to any non-evicted
users, so it does not need to be updated. Key K8 may be generated by the key server and
assigned to a new user that subsequently occupies user U3's slot.

[1070] A compromised key may be updated using the key known only to all of the
non-evicted users in the set associated with the compromised key. An example of this condition
was illustrated in FIGS. 8A and 8B. Here, key K15, which is known by non-evicted users U0,
U1, and U2 as well as evicted user U3, is updated using key K7, which is known only to
non-evicted users U0, U1, and U2. Similarly, key K12, which is known by non-evicted user U2 as
well as evicted user U3, is updated using key K4, which is known only to non-evicted user U2.

[1071] As shown in FIG. 9, there are two blocks of compromised keys: key numbers
8-15 and 24-31. Key K8 is not known to any non-evicted users, so it does not need to be
updated. Keys K9-K15 are updated using the respective keys in which user U3 has been
removed from the set associated with the key, namely keys K1-K7, respectively. Similarly,
keys K24-K31 are updated using keys K16-K23, respectively.

[1072] FIG. 10 illustrates the effect of a double eviction. Specifically, FIG. 10 illustrates 
the effect of a simultaneous eviction of users U1 and U3 on key K15. FIG. 10 shows that 
when evicted users U1 and U3 are removed from the set associated with key K15, the 
remaining set is {U0, U2}, the set associated with key K5. Because K5 is the key known only 
by the non-evicted users that also know compromised key K15, it can be used to update key 
K15. 

[1073] FIG. 11 illustrates the effect of the simultaneous eviction of users U1 and U3 on 
the entire set of keys. In this case, the only uncompromised keys are keys K1, K4, K5, K16, 
K17, K20, and K21. The remaining keys need to be updated. 

[1074] Of the remaining keys, keys K2, K8, and K10 aren't updated because they are not 
known by any non-evicted users. Here, it is useful to observe that if a compromised key is to 
be generated, i.e., if it corresponds to a set containing only evicted users, then the set of 
non-evicted users that also know the compromised key is the empty set. There is therefore no key 
corresponding to the empty set. Accordingly, none of the keys can be used to update the 
compromised key. 

[1075] In a similar fashion to the single eviction case, the key used to update a 
compromised key is the key known only by all of the non-evicted users that also know the 
compromised key. FIG. 11 shows the compromised keys and the respective uncompromised 
keys used to update them. As described with reference to FIG. 10, key K5 is used to update 
key K15. 

[1076] The process of updating and generating keys is illustrated in the flowchart of FIG. 
12. In the illustrated embodiment, the process begins at step 1202 with the selection of a 
compromised key Kx, where x is an integer between 1 and 2^ - 1. For the compromised key 
Kx, it is then determined at step 1204 whether a key Ky exists. Here, Ky is the key known 
only by all of the non-evicted users that also know Kx. In the double eviction example of 
FIG. 10, where users U1 and U3 were evicted, key K15 can be updated using key K5. Key K5 
is the key known only by the non-evicted users that also know compromised key K15. 
[1077] If, at step 1204, key Ky is determined to exist, then key Kx is updated using Ky at 
step 1206. If, at step 1204, key Ky is determined not to exist, then a new key Kx is generated 
by the key server. As noted above, the generation of new keys occurs when the 
compromised key Kx is known only by the evicted user(s). For example, in the double 
eviction scenario of FIG. 11, new keys K2, K8, and K10 would need to be generated by the 
key server. 

[1078] After key Kx is either updated or replaced by a newly generated key, the process 
then proceeds to step 1210 where it is determined whether more compromised keys need to 
be processed. If more compromised keys need to be processed, then the process loops back 
to step 1202. 

[1079] The procedure of FIG. 12 is used by the key server, which knows all 2^ - 1 keys. 
A non-evicted user that knows a compromised key also updates the compromised key. It 
should be noted that a non-evicted user will not know any key that should be newly 
generated by the key server because a key that should be generated is not known to any non- 
evicted users. Therefore, the procedure used by a non-evicted user to process a compromised 
key Kx is the same as the procedure used by the key server except that the failure to find a 
key Ky will not result in an action by the non-evicted user. Only the key server generates 
keys. 

[1080] In one embodiment, non-evicted users are sent information about the identities of 
the users that are evicted. Using this information, each non-evicted user then updates the 
compromised keys that it knows. The key server also updates all compromised keys. This 
results in a consistent, uncompromised updated key set. 

[1081] As noted, in one embodiment, a key used to update a compromised key is the key 
known only by the non-evicted users that also know the compromised key. In one 
embodiment, the update of compromised keys is performed through a function with the 
following three properties: (1) knowledge of the updated key does not give knowledge of the 
compromised key or the updating key, (2) knowledge of the compromised key does not give 
knowledge of the updated key, (3) knowledge of the compromised key and the updated key 
does not give knowledge of the updating key. A function with these properties will deny 
access to evicted users and control access by valid users. A cryptographic one-way function 
has these features. In general, a cryptographic one-way function is a function that does not 
have an easily computable inverse or easily computable collisions (collisions are where two 
input values give the same output value). For example, if F() is a one-way function, we 
could update compromised key Kx with F(Ky). 

[1082] The following example illustrates a security breach that would result from using 
an invertible, rather than a one-way function. Suppose, as in FIG. 9, that user U3 is evicted. 
As described above, key K15 is preferably updated using key K7. Suppose an invertible 
function f() is used and key K15 is updated with f(K7). A new user that comes in and is 
assigned to slot 3 as the new user U3 will be given the new key K15 = f(K7). Because key K7 
was not compromised, it is still used. Therefore, if f() is an invertible function, the new user 
U3 will be able to invert key K15 to obtain key K7. Because U3 is not a member of the set 
associated with key K7, this results in a security breach. Therefore, if a function is used, it 
should be a one-way, or noninvertible, function. 

[1083] Another example illustrates a security breach that would result from using F(Ky) 
to replace Kx. Suppose, as in FIG. 11, that users U1 and U3 are evicted. As a result, 
numerous keys are compromised, including keys K7, K13, and K15, with binary 
representations (00111), (01101), and (01111), respectively. The same key having a binary 
representation (00101) is used to update each of these three compromised keys. Therefore, 
the replacement value for each of keys K7, K13, and K15 is the same, F(K5). 
[1084] Thus, even if a one-way function is used, it will need more than one input to 
prevent the problem just described. In one embodiment, a one-way function with multiple 
inputs (e.g., two) is used. Because it is preferred to use key Ky in updating key Kx, one of the 
two inputs could be Ky. The other input(s) could be used to obtain uniqueness. For example, 
'x,' the numeric value of the set corresponding to the compromised key, could be used. Key 
Kx could therefore be updated with F(x, Ky), where F() again is a one-way function. While 
the use of 'x' would provide uniqueness, the updated keys may be subject to security risks 
due to the possible non-confidentiality of the value 'x.' 

[1085] Thus, in one embodiment, the input to the one-way function is a unique pair of 
keys (or other data values) that are known only to the non-evicted users that know the 
compromised key Kx. In this embodiment, the updated value of a compromised key Kx is 
based on F(Kx, Ky). This ensures that each replacement key will be unique, that only 
authorized users will know it, and that it will not be useable by a new user to obtain keys not 
authorized to that user. 

[1086] As noted above, the function F need not be a one-way function. Any function 
having the properties of (1) knowledge of F(Kx, Ky) does not give knowledge of Kx or Ky, (2) 
knowledge of Kx does not give any knowledge of F(Kx, Ky), and (3) knowledge of F(Kx, Ky) 
and Kx does not give any knowledge of Ky, can be used. 

[1087] Significantly, no collection of past, present, and future users can collaborate to 
find any key not known to a member of the collection. The following example shows how, 
after a sequence of two evictions, the two evicted users cannot collude to obtain any keys. 
For ease of explanation, the set of keys after the first eviction are denoted K', and the set of 
keys after the second eviction are denoted K". In this example, the group includes four users 
U0, U1, U2, and U3. User U3 is evicted first, followed by the eviction of user U2. The initial 
state of the system is illustrated in Table 1. 

                   U3   U2   U1   U0
Key 1  (K0001)     0    0    0    1
Key 2  (K0010)     0    0    1    0
Key 3  (K0011)     0    0    1    1
Key 4  (K0100)     0    1    0    0
Key 5  (K0101)     0    1    0    1
Key 6  (K0110)     0    1    1    0
Key 7  (K0111)     0    1    1    1
Key 8  (K1000)     1    0    0    0
Key 9  (K1001)     1    0    0    1
Key 10 (K1010)     1    0    1    0
Key 11 (K1011)     1    0    1    1
Key 12 (K1100)     1    1    0    0
Key 13 (K1101)     1    1    0    1
Key 14 (K1110)     1    1    1    0
Key 15 (K1111)     1    1    1    1

Table 1 



[1088] As illustrated, each user U0, U1, U2, and U3 maintains those keys that are 
identified by a '1' in that user's respective column. For example, user U3 maintains copies of 
key numbers 8-15. 

[1089] The first eviction that occurs is the eviction of user U3. The keys 8-15 belonging 
to user U3 are marked as compromised in Table 2. 





                   U3   U2   U1   U0
Key 1  (K0001)     0    0    0    1
Key 2  (K0010)     0    0    1    0
Key 3  (K0011)     0    0    1    1
Key 4  (K0100)     0    1    0    0
Key 5  (K0101)     0    1    0    1
Key 6  (K0110)     0    1    1    0
Key 7  (K0111)     0    1    1    1
Key 8  (K1000)     1    0    0    0    Compromised
Key 9  (K1001)     1    0    0    1    Compromised
Key 10 (K1010)     1    0    1    0    Compromised
Key 11 (K1011)     1    0    1    1    Compromised
Key 12 (K1100)     1    1    0    0    Compromised
Key 13 (K1101)     1    1    0    1    Compromised
Key 14 (K1110)     1    1    1    0    Compromised
Key 15 (K1111)     1    1    1    1    Compromised

Table 2 



[1090] In response to the eviction of user U3, the key server notifies the non-evicted users 
U0, U1, and U2 that user U3 has been evicted. Then, the key server updates compromised 
keys 9-15, and generates new key 8. 

[1091] Upon notification of the eviction of user U3, each non-evicted user also updates 
the compromised keys that it knows. Specifically, user U2 updates keys 12-15, user U1 
updates keys 10, 11, 14, and 15, and user U0 updates keys 9, 11, 13, and 15. Table 3 
illustrates the replacement values for each of the compromised keys. The compromised keys 
are highlighted with an asterisk. 





           U3   U2   U1   U0   Updated Key Value
Key 1      0    0    0    1    K'0001 = K0001 (Unchanged)
Key 2      0    0    1    0    K'0010 = K0010 (Unchanged)
Key 3      0    0    1    1    K'0011 = K0011 (Unchanged)
Key 4      0    1    0    0    K'0100 = K0100 (Unchanged)
Key 5      0    1    0    1    K'0101 = K0101 (Unchanged)
Key 6      0    1    1    0    K'0110 = K0110 (Unchanged)
Key 7      0    1    1    1    K'0111 = K0111 (Unchanged)
Key 8*     1    0    0    0    K'1000 = New_Key1
Key 9*     1    0    0    1    K'1001 = F(K1001, K0001)
Key 10*    1    0    1    0    K'1010 = F(K1010, K0010)
Key 11*    1    0    1    1    K'1011 = F(K1011, K0011)
Key 12*    1    1    0    0    K'1100 = F(K1100, K0100)
Key 13*    1    1    0    1    K'1101 = F(K1101, K0101)
Key 14*    1    1    1    0    K'1110 = F(K1110, K0110)
Key 15*    1    1    1    1    K'1111 = F(K1111, K0111)

Table 3 



[1092] As illustrated, keys 1-7 are not compromised and are therefore left unchanged. 
Key 8 is compromised and is generated by the key server. Keys 9-15 are compromised and 
are updated. The new values for the updated keys are based on F(Kx, Ky), where F() is a 
one-way function. As noted above, Kx is the compromised key, while Ky is the key known only 
to the non-evicted users that also know the compromised key. 

[1093] At this point, a new user is added to the group by the key server distributing the 
updated K' keys to the new user. The old evicted user U3 cannot masquerade as a member of 
the group because the evicted user U3 has no keys in common with any group member. 
[1094] Now, suppose that user U2 is evicted. The keys belonging to user U2 are marked 
as compromised in Table 4. 





           U3   U2   U1   U0   Current Value
Key 1      0    0    0    1    K'0001 = K0001
Key 2      0    0    1    0    K'0010 = K0010
Key 3      0    0    1    1    K'0011 = K0011
Key 4      0    1    0    0    K'0100 = K0100              Compromised
Key 5      0    1    0    1    K'0101 = K0101              Compromised
Key 6      0    1    1    0    K'0110 = K0110              Compromised
Key 7      0    1    1    1    K'0111 = K0111              Compromised
Key 8      1    0    0    0    K'1000 = New_Key1
Key 9      1    0    0    1    K'1001 = F(K1001, K0001)
Key 10     1    0    1    0    K'1010 = F(K1010, K0010)
Key 11     1    0    1    1    K'1011 = F(K1011, K0011)
Key 12     1    1    0    0    K'1100 = F(K1100, K0100)    Compromised
Key 13     1    1    0    1    K'1101 = F(K1101, K0101)    Compromised
Key 14     1    1    1    0    K'1110 = F(K1110, K0110)    Compromised
Key 15     1    1    1    1    K'1111 = F(K1111, K0111)    Compromised

Table 4 



[1095] As shown in Table 4, keys 4-7 and 12-15 are compromised by the eviction of user 
U2. Table 5 shows the subsequent key update. 





           U3   U2   U1   U0   Updated Key Value
Key 1      0    0    0    1    K"0001 = K'0001 = K0001 (Unchanged)
Key 2      0    0    1    0    K"0010 = K'0010 = K0010 (Unchanged)
Key 3      0    0    1    1    K"0011 = K'0011 = K0011 (Unchanged)
Key 4*     0    1    0    0    K"0100 = New_Key2
Key 5*     0    1    0    1    K"0101 = F(K'0101, K'0001)
                                      = F(K0101, K0001)
Key 6*     0    1    1    0    K"0110 = F(K'0110, K'0010)
                                      = F(K0110, K0010)
Key 7*     0    1    1    1    K"0111 = F(K'0111, K'0011)
                                      = F(K0111, K0011)
Key 8      1    0    0    0    K"1000 = K'1000 = New_Key1 (Unchanged)
Key 9      1    0    0    1    K"1001 = K'1001 = F(K1001, K0001) (Unchanged)
Key 10     1    0    1    0    K"1010 = K'1010 = F(K1010, K0010) (Unchanged)
Key 11     1    0    1    1    K"1011 = K'1011 = F(K1011, K0011) (Unchanged)
Key 12*    1    1    0    0    K"1100 = F(K'1100, K'1000)
                                      = F(F(K1100, K0100), New_Key1)
Key 13*    1    1    0    1    K"1101 = F(K'1101, K'1001)
                                      = F(F(K1101, K0101), F(K1001, K0001))
Key 14*    1    1    1    0    K"1110 = F(K'1110, K'1010)
                                      = F(F(K1110, K0110), F(K1010, K0010))
Key 15*    1    1    1    1    K"1111 = F(K'1111, K'1011)
                                      = F(F(K1111, K0111), F(K1011, K0011))

Table 5 



[1096] In particular, Table 5 shows the value of each key after the second update, made 
in response to the second eviction, i.e., the eviction of user U2. The asterisk identifies the 
keys compromised by the second eviction. As illustrated, key 4 is generated while keys 5-7 
and 12-15 are updated. 

[1097] In a similar manner to the first eviction of user U3, compromised keys 5-7 and 
12-15 are updated separately by the key server and by each non-evicted user that knows the 
particular compromised key. 

[1098] The right hand column in Table 5 shows the value of the updated keys K" first in 
terms of the previously updated keys K' after the first eviction, and then in terms of the 
original keys. For example, consider the example of key 12, where K"1100 = F(K'1100, 
K'1000). In other words, key 12 (after the second eviction) is based on key 12 after the first 
eviction as well as key 8 after the first eviction. Similarly, key 12 after the first eviction is 
based on original key 12 as well as the original key 4 (i.e., K'1100 = F(K1100, K0100), see Table 
4). Key 8 after the first eviction is the generated key New_Key1 (see Table 4). The value of 
K"1100 can then be represented in terms of the original keys by substituting in the appropriate 
values for the K' keys, yielding K"1100 = F(K'1100, K'1000) = F(F(K1100, K0100), New_Key1). 
[1099] Suppose now that the evicted users U3 and U2 decide to get together and share all 
of the keys they know. Despite their collusion, users U3 and U2 cannot infer any currently 
active key. The following illustration in Table 6 describes, for each currently active key, 
why that key cannot be derived or inferred by the evicted users, even if they collude. 



Key                Reason
Key 1  (K"0001)    Equals K0001, which is never known to the colluders
Key 2  (K"0010)    Equals K0010, which is never known to the colluders
Key 3  (K"0011)    Equals K0011, which is never known to the colluders
Key 4  (K"0100)    Equals New_Key2, which is never known to the colluders
Key 5  (K"0101)    Derived from K0001, which is never known to the colluders
Key 6  (K"0110)    Derived from K0010, which is never known to the colluders
Key 7  (K"0111)    Derived from K0011, which is never known to the colluders
Key 8  (K"1000)    Equals New_Key1, which is never known to the colluders
Key 9  (K"1001)    Derived from K0001, which is never known to the colluders
Key 10 (K"1010)    Derived from K0010, which is never known to the colluders
Key 11 (K"1011)    Derived from K0011, which is never known to the colluders
Key 12 (K"1100)    Derived from K'1000, which is New_Key1, which is never
                   known to the colluders
Key 13 (K"1101)    Derived from K'1001, which is derived from K0001, which
                   is never known to the colluders
Key 14 (K"1110)    Derived from K'1010, which is derived from K0010, which
                   is never known to the colluders
Key 15 (K"1111)    Derived from K'1011, which is derived from K0011, which
                   is never known to the colluders

Table 6 
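
The update procedure of FIG. 12 and the two-eviction walk-through of Tables 1-6 can be replayed in code. The Python below is an added example, not part of the original specification; the choice of SHA-256 for F, the 32-byte random keys, and all function names are assumptions.

```python
import hashlib
import secrets
from itertools import product


def F(kx: bytes, ky: bytes) -> bytes:
    """Two-input one-way update F(Kx, Ky); SHA-256 is an assumed choice."""
    return hashlib.sha256(b"rps-update" + kx + ky).digest()


def updating_index(x: int, evicted: int) -> int:
    """Number y of the key known only to the non-evicted holders of key x.

    Bit u of x is set when user Uu holds key x; 0 means no such key exists.
    """
    return x & ~evicted


def classify(n_users: int, evicted: int):
    """Key numbers split into (uncompromised, updated, generated)."""
    kept, upd, gen = [], [], []
    for x in range(1, 2 ** n_users):
        y = updating_index(x, evicted)
        (kept if y == x else upd if y else gen).append(x)
    return kept, upd, gen


def evict(keys: dict, evicted: int, is_server: bool) -> dict:
    """One pass of the FIG. 12 loop over the keys a single party holds."""
    updated = {}
    for x, kx in keys.items():
        y = updating_index(x, evicted)
        if y == x:                      # no evicted holder: not compromised
            updated[x] = kx
        elif y:                         # Ky exists: update, no message needed
            updated[x] = F(kx, keys[y])
        elif is_server:                 # held only by evicted users: generate
            updated[x] = secrets.token_bytes(32)
    return updated


def held_by(keys: dict, user: int) -> dict:
    """Subset of a key set that the user in slot `user` holds."""
    return {x: k for x, k in keys.items() if x >> user & 1}


def closure(pool: set, rounds: int) -> set:
    """Values reachable by applying F to pairs of values already held."""
    for _ in range(rounds):
        pool = pool | {F(a, b) for a, b in product(pool, repeat=2)}
    return pool


def two_evictions():
    """Replay Tables 1-6: four users, U3 evicted first, then U2."""
    k0 = {x: secrets.token_bytes(32) for x in range(1, 16)}    # Table 1
    users = {u: held_by(k0, u) for u in range(4)}
    pool = set(users[3].values()) | set(users[2].values())     # colluders

    k1 = evict(k0, 0b1000, is_server=True)                     # Table 3
    for u in (0, 1, 2):
        users[u] = evict(users[u], 0b1000, is_server=False)
    users[3] = held_by(k1, 3)        # new occupant of slot 3 receives K' keys
    pool |= set(users[2].values())   # U2 leaves knowing its K' keys as well

    k2 = evict(k1, 0b0100, is_server=True)                     # Table 5
    for u in (0, 1, 3):
        users[u] = evict(users[u], 0b0100, is_server=False)

    in_sync = all(users[u] == held_by(k2, u) for u in (0, 1, 3))
    key12_ok = k2[12] == F(F(k0[12], k0[4]), k1[8])
    leaked = closure(pool, rounds=2) & set(k2.values())
    return in_sync, key12_ok, leaked


if __name__ == "__main__":
    print(two_evictions())
```

For a five-user group with U1 and U3 evicted, `updating_index` returns 5 for keys 7, 13 and 15, which is why a single-input F(Ky) would give all three the same replacement value. The `closure` check is a bounded search over two rounds of F, so it illustrates Table 6 rather than proving it.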



[1100] Table 6 is noteworthy because it illustrates the evolution of the key set over time. 
After an eviction, the key set remains constant until another eviction occurs. It should be 
noted that, in one embodiment, the key set is modified periodically to protect against time- 
consuming attempts to derive the keys. 

[1101] In another embodiment, artificial evictions are performed just prior to an addition 
of a user. This artificial eviction prevents the new user from decoding any communications 
sent during the period between the previous eviction and the current addition. In other words, 
the artificial eviction ensures that the new user will get a set of keys that are valid only from 
the time of the user's addition. 
[1102] As thus described, the RPS group provides a mechanism that enables the key 
server and the group users to update the keys independently. Encrypted key distribution 
messages can therefore be eliminated in the portion of the hierarchical tree that the RPS 
group replaces. As described above, self-repairing groups can be applied to any type of key 
distribution method (e.g., LKH, OFT, and OFC). 

[1103] To illustrate the particular application of RPS groups to a hierarchical tree, 
consider the example hierarchical tree illustrated in FIG. 4. In the illustrated example, an 
RPS group is defined for users U0-U7, with user U0 being evicted. An update request 
message Ed is then broadcast to non-evicted users U1-U7. The update request message 
instructs each of the non-evicted users U1-U7 to update all of the compromised keys. In this 
case, the compromised keys are illustrated as those keys identified by the '0' column of FIG. 
7. Independent updating of the keys Kx would then yield new keys K'x as described above. 
[1104] As would be appreciated, even if the evicted user U0 obtained update request 
message Ed, security would not be compromised because the evicted user U0 would not be 
able to synchronously update new versions of the keys that he possessed. For this reason, in 
one embodiment, the update request message can be sent in an unencrypted form. 
[1105] As described above, one of the compromised keys to be updated is the key K11111. 
Key K11111 is the key that is known by all of the users U0-U7 in the RPS group. As such, in 
one embodiment, key K11111 can be used as the common leaf-type node key D (see FIG. 3B). 
[1106] Upon eviction of user U0, key K11111 is independently updated by both the key 
server and non-evicted users U0-U7 through the calculation of K'11111 = F(K11111, K11110). The 
updated key K'11111 then represents the new common leaf-type node key D. This new key 
can then be used to acquire the new keys for interior nodes B and A in accordance with the 
particular key distribution method (e.g., LKH, OFT, and OFC). As noted above, when a new 
user is added into the vacant slot formerly occupied by user U0, an additional eviction of user 
U0 occurs just prior to the addition of the new user. This ensures that the new user does not 
have access to prior communications that occurred after the first eviction of user U0. 
[1107] In an alternative embodiment, the RPS group is based on a power set that does not 
include the element {U0, U1, U2, ..., Un}. Thus, the power set would have a set of 2^ - 2 
elements. The initial secret (or key) that is shared by the RPS group members is then 
provided by the key server. When a user is evicted, then the new RPS group key is a blinded 
key. Specifically, the key known by all of the non-evicted users is blinded using a one-way 
function. 

[1108] For example, if user U1 is evicted, then the key known by all of the non-evicted 
users is the key K11101. This key is then blinded using a one-way function G. The blinded 
key is then used as the start of the key distribution process in replacing the compromised 
keys in the interior nodes. 

[1109] If users U2 and U3 are subsequently evicted, then the key known by all of the non- 
evicted users is the key K'10011. This key is then blinded using a one-way function to yield 
G(K'10011) = G(F(K10011, K10001)). The new blinded key is then used as the start of the key 
distribution process in once again replacing the compromised keys in the interior nodes. 
[1110] As described, the RPS group enables the RPS group members and the key server 
to determine a new RPS group secret independently. This process obviates the need for key 
distribution messages that would have been used to update the portion of the hierarchical tree 
that the RPS group structure replaces. Bandwidth is thereby conserved. 
[1111] An illustration of the impact of self-repairing groups on key distribution is 
provided in FIG. 13. FIG. 13 shows how four variables vary in an OFC tree with RPS 
groups at the leaf nodes as the average number of members per RPS group varies. If there is 
one member per RPS group, then that is equivalent to not having self-repairing groups at all. 
As illustrated, the number of encryptions that are sent out in a multiple eviction dramatically 
decreases through the use of self-repairing groups at the leaf nodes of a tree. This is due to 
the fact that self-repairing groups, as graphically illustrated in FIG. 5, remove the lowest 
levels of a tree. In a multiple eviction in which many members are evicted, most of the 
encryptions correspond to nodes toward the bottom of the tree because the number of nodes 
at each level of a binary tree doubles at each succeeding level. 

[1112] While the invention has been described in detail and with reference to specific 
embodiments thereof, it will be apparent to one skilled in the art that various changes and 
modifications can be made therein without departing from the spirit and scope thereof. In 
particular, it should be noted that while the above description was stated in the context of 
encryption keys, the principles of the present invention can be applied to any application 
environment that uses shared secrets. Thus, it is intended that the present invention cover the 
modifications and variations of this invention provided they come within the scope of the 
appended claims and their equivalents. 